use drupal_get_token() rather than custom code to validate callback URL? [#2684865]

Spotted this in passing:

/**
 * Return an md5 checksummed path.
 *
 * This allows us to create paths that's resistant to tampering. By appending
 * an md5 sum of the path and drupal_private_key, and checking the sum in
 * requests, it's not possible to change a path element. This means that we
 * can put data in the URL, and be sure it's not changed.
 */
 // TODO: use core token system instead?
function _quickpay_md5_path($path) {
  // The rand is to ensure failure if drupal_private_key haven't been set.
  return $path . '/' . md5($path . variable_get('drupal_private_key', rand()));
}

Could drupal_get_token() not be used here instead? This looks like the sort of thing it's used for, and it would simplify the code.

Comments

Comment #1

10 March 2016 at 11:18

joachim created an issue. See original summary.

Comment #2

xen commented 10 March 2016 at 12:11

No, because it's used for the callback URL (which is called by Quickpays server), and drupal_get_token() hashes the session_id in.

Wouldn't mind if this is refactored to use drupal_hmac_base64() instead of md5 though. Certainly it should use drupal_get_private_key(). And probably drupal_get_hash_salt() now we're at it.

Comment #3

joachim commented 10 March 2016 at 12:47

> drupal_get_token() hashes the session_id in.

Oh, of course -- it's the Quickpay server that's calling that, so not the user's session. Wasn't thinking, sorry!

Comment #4

joachim commented 10 March 2016 at 12:59

There was one other thing:

> // The rand is to ensure failure if drupal_private_key haven't been set.

I don't think it's possible for Drupal to not have this set -- it's created on site install.

Comment #5

joachim commented 10 March 2016 at 17:30

Actually, do we still need this, now that in Quickpay's v10 API, the callback POST gets a checksum based on the API key?

Comment #6

xen commented 10 March 2016 at 18:01

The rand() is not needed. If we use drupal_get_private_key() it will ensure that the site has a key, generating it if necessary.

The old API is already MD5ing the payload. But it's not that we're checking, we're ensuring that someone haven't tapered with the path. It's an extra defence as the path contains the module we call back. In theory, two modules could be using the same order id for payments, and without this Quickpay could be fooled into calling the wrong one. Very theoretical, but with this safety we don't have to consider the possibilities.

Comment #7

joachim commented 11 March 2016 at 10:49

Ok. I'll leave this as postponed, and copy the code you suggested from the other issue to here:

  return $path . '/' . drupal_hmac_base64($path, drupal_get_private_key() . drupal_get_hash_salt());

Comment #8

17 March 2016 at 20:57

Xen committed c9a9537 on 7.x-2.x

Issue #2684865 by Xen: Update path hashing

Comment #9

xen commented 17 March 2016 at 20:58

Version:	7.x-1.x-dev	» 7.x-2.x-dev
Status:	Postponed	» Fixed

Fixed in -dev.

Comment #10

31 March 2016 at 21:04

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

use drupal_get_token() rather than custom code to validate callback URL?

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

News items

Our community

Documentation

Drupal code base

Governance of community